Mozilla Downplays New Firefox Bug

Mozilla is downplaying a reported bug in its Firefox browser. According to Mozilla, initial reports that the vulnerability could be exploited to execute code are false.

Mozilla is pouring cold water on reports of a severe bug affecting its Firefox browser. Reports of a new stack overflow vulnerability affecting Firefox
surfaced not long after the company released a new version to patch a critical bug in
the TraceMonkey JavaScript engine's JIT (just-in-time) compiler. On
Sunday, the SANS Internet Storm Center warned the vulnerability could
be exploited by hackers to execute code.

"In the last few days, there have been several reports (including one via SANS)
of a bug in Firefox related to handling of certain very long Unicode
strings," wrote Mike Shaver vice president of engineering at Mozilla.
"While these strings can
result in crashes of some versions of Firefox, the reports by press and
various security agencies have incorrectly indicated that this is an
exploitable bug. Our analysis indicates that it is not, and we have
seen no example of exploitability."

"On
Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an
uncaught exception during an attempt to allocate a very large string
buffer; this termination is safe and immediate, and does not permit the
execution of attacker code," he continued. On Mac, in
Firefox 3.0.x and 3.5.x a crash occurs inside the ATSUI system library
because of what appears to be a failure to check allocation results.
Mozilla has reported the issue to Apple, but will look to implement
mitigations in Mozilla code in case Apple does not provide a fix,
Shaver said.

"On
Linux, the problem is similar to that on Mac: there is an abort in
system libraries (pango, glib, libc)," he wrote. "Due to the wide
variation of Linux libraries and versions deployed, and different
compilation options chosen by Linux distributors for Firefox, the
details of the crash report may vary between machines."

Last week, Mozilla
released Firefox 3.5.1 to fix the TraceMonkey vulnerability after
attack code surfaced. The latest version of the browser is available here.